DET0453: Detection Strategy for SNMP (MIB Dump) on Network Devices
Analyst context for executives and security teams
DET0453 is a MITRE detection strategy for identifying SNMP MIB dump activity against network devices, related to ATT&CK technique T1602.001. The business significance is that SNMP-accessible MIB data can expose configuration and operational details from managed network infrastructure. For leaders, this is less about one alert and more about whether the organization can see management-plane collection against routers, switches, and similar devices before it informs broader intrusion activity or operational disruption.
Executive priority
Prioritize this as a network infrastructure visibility and resilience question. Executives and security leaders should ask whether SNMP use is inventoried, whether access to network-device management interfaces is controlled, and whether the SOC has evidence to distinguish expected monitoring from unusual MIB enumeration. This can support incident readiness, audit evidence for infrastructure access controls, and budget decisions around network telemetry, device logging, and management-plane segmentation.
Technical view
ATT&CK provides no official description or detection logic for DET0453, but the relationship to T1602.001 anchors the scope: collection against SNMP MIB data on Network Devices. SOC and detection engineering teams should validate whether they can observe SNMP queries to network devices, especially broad OID enumeration or repeated reads that resemble MIB dumping, while accounting for legitimate network management systems. IR teams should be prepared to correlate SNMP activity with device access history, configuration state, and authorized monitoring sources.
Likely telemetry
- Network flow records or packet metadata showing SNMP traffic to network devices
- Network device management-plane logs, where available
- SNMP service logs or audit records, where supported by the device or management platform
- Configuration and access-control records for authorized SNMP managers and communities/users
- Asset inventory identifying network devices where SNMP is enabled
Detection direction
- Baseline authorized SNMP managers and expected polling patterns before alerting on MIB-dump-like volume or breadth.
- Look for SNMP access to network devices from unexpected sources or outside approved management paths.
- Tune detections to reduce false positives from legitimate monitoring, discovery, and inventory tools.
- Correlate suspected MIB enumeration with network-device inventory, SNMP configuration, and any management-plane access events.
- Treat lack of device-side SNMP logging as a coverage gap; network telemetry may be the deciding evidence source.
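As an added, constructed example (not part of the DET0453 object or this page's own content), the following Python applies the first two bullets above to a small set of SNMP request records: it flags SNMP to an inventoried device from a source outside the authorized-manager list, and flags a source/device pair whose distinct-OID breadth plus GETNEXT/GETBULK use looks like a MIB walk. The device inventory, manager list, record schema and breadth threshold are all assumptions to be replaced with local baselines.

```python
from collections import defaultdict

# Assumed inputs: an asset inventory of SNMP-enabled devices and the set of
# sanctioned SNMP managers (e.g. the NMS poller). Both are constructed here.
NETWORK_DEVICES = {"10.0.0.1", "10.0.0.2"}
AUTHORIZED_MANAGERS = {"10.10.5.20"}
# PDU types that enumerate the MIB tree rather than read a known OID.
WALK_PDUS = {"GetNextRequest", "GetBulkRequest"}

# Constructed sample records, one per SNMP request PDU, in the assumed
# shape (src_ip, dst_ip, pdu_type, oid) a flow sensor or SNMP audit log might export.
RECORDS = [
    ("10.10.5.20", "10.0.0.1", "GetRequest", "1.3.6.1.2.1.1.3.0"),     # sysUpTime poll
    ("10.10.5.20", "10.0.0.1", "GetRequest", "1.3.6.1.2.1.2.2.1.10.1"),  # ifInOctets poll
    ("10.10.5.20", "10.0.0.2", "GetRequest", "1.3.6.1.2.1.1.3.0"),
] + [
    # An unlisted host walking the mib-2 subtree on one device (constructed).
    ("10.20.7.99", "10.0.0.1", "GetNextRequest", f"1.3.6.1.2.1.{i}.0")
    for i in range(1, 41)
]


def detect(records, devices, managers, breadth_threshold=25):
    """Return (unauthorized_pairs, dump_pairs).

    unauthorized_pairs: {(src, dst)} where src is not an authorized manager.
    dump_pairs: {(src, dst): distinct_oid_count} where the source touched at
    least breadth_threshold distinct OIDs using at least one walk-style PDU.
    breadth_threshold is a placeholder; set it from the observed baseline.
    """
    unauthorized = set()
    oids_seen = defaultdict(set)
    walk_count = defaultdict(int)
    for src, dst, pdu, oid in records:
        if dst not in devices:          # only score traffic to inventoried devices
            continue
        if src not in managers:
            unauthorized.add((src, dst))
        oids_seen[(src, dst)].add(oid)
        if pdu in WALK_PDUS:
            walk_count[(src, dst)] += 1
    dumps = {
        pair: len(seen) for pair, seen in oids_seen.items()
        if len(seen) >= breadth_threshold and walk_count[pair] > 0
    }
    return unauthorized, dumps
```

An authorized manager that legitimately walks a device will still trip the breadth check, which is where the third bullet's tuning (an allow-list of expected discovery jobs and their polling windows) applies.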
Mitigation priorities
- Inventory network devices with SNMP enabled and confirm business justification.
- Restrict SNMP access to approved management systems and management networks.
- Review SNMP authentication and authorization configuration consistent with organizational standards.
- Limit exposed management-plane paths to network devices wherever operationally feasible.
- Maintain audit-ready records of authorized SNMP sources, device configurations, and monitoring exceptions.
Analyst notes and limits
The strongest use of this object is as a validation prompt: can the organization detect collection-oriented SNMP activity against network devices, and can it separate sanctioned monitoring from suspicious enumeration? Because DET0453 has no official detection text, local baselines and device capabilities are essential.
The supplied ATT&CK object has no official description, no official detection content, no listed tactics or platforms on the detection-strategy object itself, and only one relationship: it detects T1602.001, SNMP (MIB Dump), which is a collection technique on Network Devices. Recommendations therefore remain conservative and require local environment evidence.
Detection Strategy for SNMP (MIB Dump) on Network Devices
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1602.001 | SNMP (MIB Dump) Sub-technique | This object detects SNMP (MIB Dump). |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 98573659b85b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0453 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.